Sergey Beryozkin created CXF-6753:
-------------------------------------
Summary: OAuth2 audience support is incomplete
Key: CXF-6753
URL: https://issues.apache.org/jira/browse/CXF-6753
Project: CXF
Issue Type: Bug
Components: JAX-RS, JAX-RS Security
Reporter: Sergey Beryozkin
Assignee: Sergey Beryozkin
Fix For: 3.1.5, 3.2.0
The audience support in the OAuth2 code was done awhile back based on the now expired draft,
and while no standard is available, it is important to update the model now that it is getting
integrated into Fediz/etc. Specifically, a single audience is only supported in the model
while multiple audiences per token are possible.
Token introspection response may include a single or multiple audiences, with a single audience
being allowed to be reported as a non-array (as per JWT audience).
Audience checks need to be updated too. The audience, if reported to the token/authorization
endpoint, will have to be contained in the list of client audiences created during the registration.
This can be relaxed in the future and become more dynamic
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)